A pictorial illustration of conventional

cryptography

Lars Ramkilde Knudsen

March 1993

Abstract

In this pap er we consider conventional cryptosystems. We illus-

trate the di erences b etween substitution, transp osition and pro duct

ciphers by showing encryptions of a highly redundant cleartext, a p or-

trait. Also it is pictorially demonstrated that no conventional cryp-

tosystem in its basic mo de provides sucient security for redundant

cleartexts.

1 Intro duction

The history of cryptography is long and go es back at least 4,000 years to

the Egyptians, who used hieroglyphic co des for inscription on tombs [2].

Since then many ciphers have b een develop ed and used. Many of these old

ciphers are much to o weak to be used in applications to day, b ecause of the

tremendous progress in computer technology. Until 1977 all ciphers were

so-called one-key ciphers or conventional ciphers. In these ciphers the keys

for encryption and decryption are identical or easily derived from each other.

In 1977 Die and Hellman intro duced two-key ciphers or public-key ciphers,

where the knowledge of one key gives no knowledge ab out the other key. In

this pap er we consider only conventional ciphers. We divide these ciphers

into three groups: Substitution Ciphers, Itansp osition Ciphers and Pro duct

Ciphers. For each group we consider a sp eci c cipher and give a pictorial 1

illustration of an encryption. Finally we give an illustration that the strong

conventional cipher, DES, in its basic mo de is insucient to ensure protection

when used on a large plaintext.

Notation:

Let A and A b e the alphab ets for plaintexts and ciphertexts, resp ectively.

M C

Let M = m ;m ;:::;m be a n-character plaintext, s.t. for every i; m 2

0 1 n1 i

A and let C = c ;c ;:::;c be a ciphertext, s.t. for everv i; c 2A

M 0 1 n1 C

2 Substitution systems

As indicated in the name every plaintext character is substituted by some

ciphertext character. There are four kinds of substitution ciphers.

 Simple substitution

 Polyalphab etic substitution

 Homophonic substitution

 Polygram substitution

We restrict ourselves to consider the rst two kinds.

2.1 Simple substitution

In a cipher with a simple substitution each plaintext character is transformed

into a ciphertext character via the same function f. More formally, 8i :

0  i

f : A !A

M C

c =fm 

i i

As an example the following 2

2.1.1 Caesar substitution

It is b elieved that Julius Caessr encrypted messages by shifting

every letter in the plaintext 3 p ositions to the right in the alphab et.

This cipher is based on shifted alphabets, i.e. A = A , and is in

M C

general de ned as follows

f m =m +k mo d jAMj

i i

For the Caesar cipher the secret key k is the number 3. In general,

the cipher is easily broken in at most j AM j trials. Shift the

ciphertexts one p osition until the Plaintext arises.

2.2 Polyalphab etic substitution

In a p olyalphab etic substitution the plaintext characters are trans-

formed into ciphertext characters using a j -character key K =

k ;:::;k , which de nes j distinct functions F :::;F . More

0 j1 k k

0

j1

formally 8i :0

f : A !A 8l :0l

kl M C

c =f m :

i k i

imo dj

As an example the following

2.2.1 The Vigenere cipher

The Vigenere cipher was rst published in 1586. In 1917 in an

article in Scienti c American the cipher was claimed to b e \imp os-

sible of translation" [Denning].

Let us assume again that A = A Then the Vigenere cipher is

M C

de ned as follows

c = f m =m +k mo d jA j

i k i i imo dj M

imo dj

Vigenere ciphers can b e broken when enough ciphertext is available

to the cryptanalyst index of coincidence, Kasiski's metho d. 3

3 Transp osition systems

Transp osition systems are essentially p ermutations of the plaintext

characters. Therefore A = A . A transp osition cipher is de ned

M C

as follows 8i : O  i

f : A !A

M M

: f0;:::;n 1g! f0;:::;n 1g a p ermutation

c : f m = m

i i i

Many transp osition ciphers p ermute characters with a xed p erio d

j . In that case

f : A !A

M M

: f0;:::;j 1g!f0;:::;j 1g a p ermutation

c : f m = m

i i

idivj+ imo dj

A convenient way to express the p ermutation i in easily memo-

rable form is byakey word. The alphab etic order of the key charac-

ters then de nes the p ermutation. For example the key K=LARS

would represent the p ermutation i = f1; 0; 2; 3g. Consider the

following transp osition cipher

3.1 Row transp osition cipher

Let the key be K = k ;


;k . The plaintext is divided into blo cks

1 d

of d characters, and each blo ck is p ermuted according to the al-

phab etic order of the characters in the key. Let us consider an

example:

Example : Let d =4, the key K = IV AN and the plaintext

M = NOTASTRONGCIPHER 4

I V A N

1 3 0 2

O A N T

T O S R

G I N C

H R P E

The ciphertext is

C = OANTTOSRGINCHRPE

We can do slightly b etter with the same key by combining row

transp osition with columnar transp osition. Consider

3.2 Row and columnar transp osition ciphers

Let the key be K = k ;:::;k . The plaintext is divided into blo cks

1 d

of d  d characters. Each blo ck is written into a d  d matrix by

rows according to the alphab etic order of the characters in the key.

Then the ciphertexts is read from the matrix by columns according

again to the alphab etic order of the characters in the key, thus the

2

p erio d of the cipher b ecomes d . Let us consider an example:

Example : Let d =4, the key K=IVAN and the plaintext

M = NOTASTRONGCIPHER

M = NOTASTRONGCIPHER

I V A N

1 3 0 2

I 1 O A N T

V 3 T O S R

G I N C A 0

N 2 H R P E 5

The ciphertext read out from the matrix is

C = GINCOANTHRPETOSR

l ansp osition ciphers can be broken, however, using tables of fre-

quency distribution for digrams and trigrams.

4 Pro duct systems

An obvious attempt to make stronger ciphers than the ones we've

seen so far, is to combine substitution and transp osition ciphers.

These ciphers are called pro duct cipher. Many pro duct ciphers

has b een develop ed, including Rotor machines. We restrict our-

selves to a short description of the most famous pro duct cipher

ever develop ed.

4.1 Data Encryption Standard

In 1977 15.01.77 the National Bureau of Standards in the U.S.

published the Data Encryption Standard DES. The DES consists

of 16 rounds of p ermutations and substitutlons. The DES encrypts

64 bit plaintexts into 64 bit ciphertexts using a 56 bit key. It Is

beyond the scop e of this pap er to go further into details ab out the

construction of the DES. We refer to the references in this pap er.

The basic mo de of DES, the Electronic Co de Bo ok ECB Mo de,

is de ned as follows

c = DE S m 

i k i

In other words c is the 64 bit encrypted value of the 64 bit plain-

i

text m i using the 56 bit key k . The next section illustrates,

that this mo de is insucient to ensure protection when used on a

large plaintext. For this purp ose the Cipher Blo ck Chaining CBC

Mo de is recommended 6

c = DE S m  c 

i k i i1

where c is a xed constant and  is bitwise addition mo dulo 2.

1

The b est known attack on DES so far was published in 1991 by

E. Biham and A. Shamir [Biham]. It nds the secret key, but

47

requires 2 chosen plaintexts. This is a very weak and unrealistic

attack. In favour of the DES it should be noted, that the attacks

on the ciphers mentioned in the preceding two Sections are known

ciphertext attacks. These ciphers are trivially broken in a chosen

plaintext attack.

5 The illustrations

We consider the encryptions of a data- le 'FRAZETTA'. The le

consists of 22080 characters of each 8 bits and is pictured in Figure

1. As can be seen the le contains redundancy. The Figures 2-

7 show the ciphertexts obtained by using the ciphers discussed

earlier. The one-time pad is the only cipher, which is p erfect in

the sense of Shannons theory. The cipher is de ned as follows

c = m  k

i i i

The obvious disadvantage is the long key. For 'FRAZETTA' we

need a 22080 byte key. Figure 8 is a ciphertext obtained using the

one-time pad and is included for comparison.

5.1 Comments on the gures

Ad. Fig. 2-5: These four gures illustrates that the four ciphers do

not provide sucient protection. The redundancy in the plaintext

is more or less transferred to the ciphertexts. Ad. Fig. 6: In order

to illustrate the inadequacy of the ECB Mo de only blo cks of 8 bits

m  are encrypted. That is, let 8msb be a function that returns

i

the 8 most signi callt bits of a message. The ciphertext in Fig. 7

is de ned 7

c =8msbDE S m k 56 zeros

i k i

Note that although protection is not obtained, the key remains

secret, in contrast to the ciphers in Fig. 2-5.

Ad. Fig. 7: In order to illustrate the e ect of using CBC instead

of ECB, this ciphertext is de ned

c =8msbDE S m  c k 56 zeros

i k i i1

Ad. Fig. 8: The ideal ciphertext.

For illustrations order hardcopy.

References

[Denning] D. E. Denning.1982

Crvptography and Data Security.

Addison-Wesley Pnblishing Company, Inc.

[David] D.W. Davies and W.L. Price 1989

Security for Computer Networks

John Wiley & Sons

[Biham] Eli Biham, Adi Shamir 1976

Di erential Cryptanalysis of the full 16-Tound DES.

Technical Rep ort  708,

Technion - Israel Institute of Technology. 8